fix container publish args duplicates - container fails to deploy

Author: loehde

examples/gateway_https_multi_listener.yaml

@@ -0,0 +1,73 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: multi-listener-gateway
+spec:
+  gatewayClassName: cloud-provider-kind
+  listeners:
+  - protocol: HTTP
+    port: 80
+    hostname: "*.multi-listener.test"
+    name: wildcard
+    allowedRoutes:
+      namespaces:
+        from: All
+  - protocol: HTTP
+    port: 80
+    hostname: multi-listener.test
+    name: root
+    allowedRoutes:
+      namespaces:
+        from: All
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: multi-listener-route
+spec:
+  parentRefs:
+  - name: multi-listener-gateway
+  hostnames:
+    - route.multi-listener.test
+  rules:
+  - backendRefs:
+    - name: multi-listener-app-svc
+      port: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: multi-listener-app
+spec:
+  selector:
+    matchLabels:
+      app: MultiListenerApp
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: MultiListenerApp
+    spec:
+      containers:
+      - name: multi-listener-app
+        image: registry.k8s.io/e2e-test-images/agnhost:2.63.0
+        args:
+          - netexec
+          - --http-port=80
+          - --delay-shutdown=30
+        ports:
+          - name: httpd
+            containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: multi-listener-app-svc
+spec:
+  type: ClusterIP
+  selector:
+    app: MultiListenerApp
+  ports:
+    - name: httpd
+      port: 8080
+      targetPort: 80

pkg/gateway/envoy.go

@@ -214,17 +214,27 @@ func createGateway(clusterName string, nameserver string, localAddress string, l
 		// advertised but not functional end-to-end (e.g. some GitHub Actions runners).
 		// For dual-stack or unspecified gateways, publish without an explicit address.
 		// See https://github.com/kubernetes-sigs/cloud-provider-kind/issues/387
+		seen := make(map[string]struct{})
 		for _, listener := range gateway.Spec.Listeners {
 			proto := "tcp"
 			if listener.Protocol == gatewayv1.UDPProtocolType {
 				proto = "udp"
 			}
+
+			var publishArg string
 			if listenAddress != "" {
 				hostPortBinding := net.JoinHostPort(listenAddress, fmt.Sprintf("%d", listener.Port))
-				args = append(args, fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, listener.Port, proto))
+				publishArg = fmt.Sprintf("--publish=%s:%d/%s", hostPortBinding, listener.Port, proto)
 			} else {
-				args = append(args, fmt.Sprintf("--publish=%d/%s", listener.Port, proto))
+				publishArg = fmt.Sprintf("--publish=%d/%s", listener.Port, proto)
+			}
+
+			if _, exists := seen[publishArg]; exists {
+				continue
 			}
+
+			seen[publishArg] = struct{}{}
+			args = append(args, publishArg)
 		}
 	}
 	args = append(args, "--publish-all")

tests/setup_suite.bash

@@ -15,7 +15,7 @@ function setup_suite {
   kind create cluster --name $CLUSTER_NAME -v7 --wait 1m --retain --config="$BATS_TEST_DIRNAME/kind.yaml"
 
   cd "$BATS_TEST_DIRNAME"/.. && make
-  nohup "$BATS_TEST_DIRNAME"/../bin/cloud-provider-kind -v 2 --gateway-channel=standard --enable-log-dumping --logs-dir "$ARTIFACTS_DIR" > "$ARTIFACTS_DIR"/ccm-kind.log 2>&1 &
+  nohup "$BATS_TEST_DIRNAME"/../bin/cloud-provider-kind -v 2 --gateway-channel=standard --enable-lb-port-mapping --enable-log-dumping --logs-dir "$ARTIFACTS_DIR" > "$ARTIFACTS_DIR"/ccm-kind.log 2>&1 &
   export CCM_PID=$!
 
   # test depend on external connectivity that can be very flaky

tests/tests.bats

@@ -119,6 +119,44 @@
     kubectl delete --ignore-not-found -f "$BATS_TEST_DIRNAME"/../examples/gateway_httproute_simple.yaml
 }
 
+@test "Gateway: Multiple HTTP Listeners on Same Port with enable-lb-port-mapping" {
+    # Apply a Gateway with two HTTP listeners on the same port (443) with different
+    # hostnames. This reproduces the bug where duplicate --publish=443/tcp args
+    # caused Docker to fail with exit status 125.
+    kubectl apply -f "$BATS_TEST_DIRNAME"/../examples/gateway_https_multi_listener.yaml
+
+    # Wait for the backend application pod to be ready
+    kubectl wait --for=condition=ready pods -l app=MultiListenerApp --timeout=60s
+
+    # Retry loop to get the Gateway's external IP address
+    for i in {1..10}
+    do
+        IP=$(kubectl get gateway multi-listener-gateway --output jsonpath='{.status.addresses[0].value}' 2>/dev/null)
+        [[ ! -z "$IP" ]] && break || sleep 1
+    done
+    if [[ -z "$IP" ]]; then
+      echo "Failed to get Gateway IP address"
+      return 1
+    fi
+    echo "Gateway IP: $IP"
+
+    # Verify the gateway container is reachable (if duplicates existed, container creation would have failed)
+    for i in {1..10}
+    do
+        HOSTNAME=$(curl -s --connect-timeout 5 http://${IP}/hostname -H "Host: route.multi-listener.test" || true)
+        [[ ! -z "$HOSTNAME" ]] && break || sleep 1
+    done
+    if [[ -z "$HOSTNAME" ]]; then
+      echo "Failed to get hostname via Gateway"
+      return 1
+    fi
+    echo "Hostname via Gateway: $HOSTNAME"
+
+    # Cleanup
+    kubectl delete --ignore-not-found -f "$BATS_TEST_DIRNAME"/../examples/gateway_https_multi_listener.yaml
+}
+
+
 
 @test "Ingress to Gateway Migration and X-Forwarded-For Header" {
     # Apply the Gateway and HTTPRoute manifests
@@ -258,4 +296,4 @@ EOF
     kubectl delete deployment ws-echo
     kubectl delete service ws-service
     kubectl delete ingress ws-ingress
-}
+}